WHAT IS CLAIMED IS: 

1 1 . A method for detecting clones (unauthorized duplicate identities) of 

2 the client, the method comprising: 

3 forwarding a first signal from a client to a KDC, the first signal for requesting 

4 access to a server; 

5 verifying that the client is authorized to access the server; 

6 transmitting a ticket from the KDC to the client, the ticket for providing access 

7 to the server, wherein the ticket is valid for a time T; 

8 receiving a second signal from an entity, the second signal for requesting 

9 access to the server, wherein the entity has identifying information identical to the client; and 

1 0 if the second request is received prior to expiration of the time T, either 

1 1 marking the entity as a possible clone or denying the second request in order to prevent 

12 access to the server. 

1 2. The method of claim 1 further comprising 

2 providing a session key in the ticket, the session key being valid for a 

3 designated duration. 

1 3 . The method of claim 2 wherein the designated duration is for 

2 determining the time T for which the ticket is valid. 

1 4. A system for detecting clones of a client within a communication 

2 network, the system comprising: 

3 a KDC; 

4 an application server communicably coupled to the KDC; 

5 a client for providing a first request to access the application server; 

6 responsive to the first request, the KDC forwarding a first ticket for accessing 

7 the application server, the first ticket being valid for a time duration T; 

8 the KDC receiving a second request to access the application server, the 

9 second request being received from an entity having identifying information identical to the 

10 client; and 

1 1 if the second request is received during time T, the KDC denying the second 

12 request to prevent the entity from accessing the application server. 

1 5 . The system of claim 4 wherein the entity is a clone. 

1 6. The system of claim 5 wherein the identifying information is a client 

2 identifier copied by the clone. 
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1 7. The system of claim 4 wherein the ticket further comprises an 

2 encrypted session key. 

1 8. The system of claim 7 further comprising 

2 the client deriving a copy of the session key for accessing the application 

3 server. 

1 9. The system of claim 8 wherein the session key is derived using a key 

2 agreement algorithm. 

1 10. The system of claim 9 wherein the key agreement algorithm is the 

2 Diffie-Hellman algorithm. 

1 11. The method of claim 1 further comprising 

2 using a key algorithm for authenticating communication between the KDC and 

3 the client such that all clients wishing access to the server are required to contact the KDC. 

1 12. The method of claim 4 further comprising 

2 requiring all entities wishing to access the server to communicate with the 

3 KDC. 

1 13. A system for detecting clones (duplicate identities) of an authorized 

2 computing device in a communication network, the system comprising: 

3 a first computing device; 

4 a second computing device authorized to access the first computing device; 

5 a key management means for providing to the second computing device, a 

6 session key for accessing the first computing device, the session key being invalid after a 

7 period T; 

8 the key management means receiving one or more requests from an entity, to 

9 access the first computing device, the entity having identifying information identical to the 

10 second computing device; and 

1 1 the key management means permitting the entity to access the first computing 

12 device, provided the number of access requests received during period T, is M or less 

13 requests. 

1 14. The system of claim 13 wherein the key management means utilizes 

2 Diffie-Hellman key agreement algorithm to distribute session keys. 

1 15. The system of claim 13 further comprising 

2 the key management means flagging the entity if more than M requests are 

3 received from the entity. 
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1 16. The system of claim 13 wherein the identifying information is an 

2 identifier for the second computing device. 

1 17. The system of claim 13 further comprising 

2 the key management means denying access to the first computing device, if 

3 more than M requests are received. 

1 18. A system for detecting clones of a client within a communication 

2 network, the system comprising: 

3 a KDC; 

4 a server communicably coupled to the KDC; 

5 a client for receiving a ticket from the KDC, wherein the ticket is for accessing 
h* 6 the server, and is valid for a time duration T; 

|5[ 7 the server receiving from the client a first request to access the server, the first 

; ^ 8 request being accompanied by the ticket; 

hj 9 the server recording the time duration T for which ticket is valid; 

ijf 10 the server receiving from an entity, a second request to access the server, the 

iS 1 1 entity having identifying information identical to the client and 

iij 12 the server either flagging or denying the second request to prevent access to 
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the server, if the second request is received during the time duration T. 



3 1 19. The system of claim 18 further comprising 

2 the KDC encrypting a session key within the ticket; and 

3 the client extracting a copy of the session key in a manner that no entity other 

4 than the client can access the session key. 

1 20. The system of claim 18 further comprising 

2 necessitating by the system, all clients wishing to access the server to 

3 communicate with the KDC. 

1 21. The method of claim 1 8 wherein a ticket granting server is the server, 

2 and the ticket is a ticket granting ticket. 

1 22. A method for detecting clones in a communication network, the 

2 method comprising: 

3 providing a ticket to an authorized client, the ticket for accessing a KDC, the 

4 ticket having a session key valid for a time duration T; 

5 receiving a request to access the KDC, the request being received from an 

6 entity with the same identifying information as the authorized client; and 
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7 if the request is received during time T, flagging the entity as a possible clone 

8 or denying the request to access to the KDC. 

1 23 . The method of claim 22 wherein the ticket is a TGT (ticket granting 

2 ticket). 

1 24. The method of claim 1 wherein the KDC marks the entity as a possible 

2 clone or denies the second request in order to prevent access to the server. 

1 25. The method of claim 1 wherein the server marks the entity as a 

2 possible clone or denies the second request in order to prevent access to the server. 

1 26. The method of claim 1 8 wherein the KDC is the server. 
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